Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

A security researcher is warning of a new password bypass vulnerability in Apple's macOS High Sierra desktop operating system, though the flaw is not nearly as severe as other issues that Apple has patched recently.

Security researcher Eric Holtman publicly reported the password bypass issue on Jan. 8 by. Apple reportedly already has a fix in place for it as part of the macOS 10.13.3 update, which is in beta testing.

"The AppStore Preferences in System Preferences can be unlocked by a local admin with any bogus password," Holtman warned in an advisory.

Further reading

The AppStore preferences menu in macOS High Sierra provides a number of options for users, including requiring a password to be used for app and in-app purchases. The use of the password lock is intended to provide a mechanism that prevents any user with local access from changing the preferences without entering the proper password.

While enabling users to bypass what should be a set of password-secured options isn't a good idea in any circumstances, the actual risks are somewhat muted. Holtman wrote in the advisory that the flaw only works for users logged in as a local administrator on a macOS High Sierra system. In a series of Twitter messages on Jan. 10 directed at multiple media outlets, Holtman emphasized that the issue is not critical. He noted that any logged-in admin user could easily unlock the AppStore preferences settings if they chose to do so.

"This needs admin access to the machine already and only affects the AppStore prefs," Holtman wrote. "All other system prefs do not unlock this way. Likely an oversight in the security changes in 10.13.x."

The issue, however, is that multiple other password security oversights have been uncovered in macOS High Sierra 10.13.x in the months since the operating system was released in September 2017.

Barely a week after macOS High Sierra debuted, Apple issued a supplemental security update for two critical password-related vulnerabilities in the OS. In November 2017, Apple once again released an update for macOS High Sierra, after a researcher reported via Twitter that anyone could log in as "root" with an empty password on macOS High Sierra.

To be fair, the AppStore issue that was reported on Jan. 8 does not represent as much risk as the November 2017 issue, identified as CVE-2017-13872. With CVE-2017-13872, Apple warned that an attacker could bypass administrator authentication without supplying the administrator's password. With the AppStore preferences issue, an attacker would already need to have root access to a system.

What is worrisome though is that these issues exist in the first place and keep popping up. It's hard enough to keep passwords safe in the modern threat environment, but when system preferences that should be secured by passwords are not actually secured, then there is reason for concern.

It could just be a set of unfortunate coincidences that have led to all the different password-related issues with macOS High Sierra. Then again, as Holtman wrote, it could just be an "oversight." Considering the critical role that passwords continue to play in modern IT security, though, having an oversight in password technologies isn't particularly reassuring.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.